From: Bret Barkelew
To: devel@edk2.groups.io
Cc: Jian J Wang, Hao A Wu, Liming Gao
Subject: [PATCH v4 10/14] MdeModulePkg: Allow VariablePolicy state to delete protected variables
Date: Mon, 1 Jun 2020 09:33:06 -0700
Message-Id: <20200601163310.1718-11-brbarkel@microsoft.com>
In-Reply-To: <20200601163310.1718-1-brbarkel@microsoft.com>
References: <20200601163310.1718-1-brbarkel@microsoft.com>

https://bugzilla.tianocore.org/show_bug.cgi?id=2522

TcgMorLockSmm provides special protections for the TCG MOR variables.
This will check IsVariablePolicyEnabled() before enforcing them to allow
variable deletion when the policy engine is disabled.
Only allows deletion, not modification.

Cc: Jian J Wang
Cc: Hao A Wu
Cc: Liming Gao
Cc: Bret Barkelew
Signed-off-by: Bret Barkelew
---
 MdeModulePkg/Universal/Variable/RuntimeDxe/TcgMorLockSmm.c | 10 += +++++++++
 MdeModulePkg/Universal/Variable/RuntimeDxe/VariableStandaloneMm.inf | 2 ++
 2 files changed, 12 insertions(+)
diff --git a/MdeModulePkg/Universal/Variable/RuntimeDxe/TcgMorLockSmm.c b/M= deModulePkg/Universal/Variable/RuntimeDxe/TcgMorLockSmm.c index 6d80eb64341a..085f82035f4b 100644 --- a/MdeModulePkg/Universal/Variable/RuntimeDxe/TcgMorLockSmm.c +++ b/MdeModulePkg/Universal/Variable/RuntimeDxe/TcgMorLockSmm.c @@ -5,6 +5,7 @@ This module adds Variable Hook and check MemoryOverwriteRequestControlLo= ck.=0D =0D Copyright (c) 2016 - 2018, Intel Corporation. All rights reserved.
=0D +Copyright (c) Microsoft Corporation.=0D SPDX-License-Identifier: BSD-2-Clause-Patent=0D =0D **/=0D @@ -17,6 +18,10 @@ SPDX-License-Identifier: BSD-2-Clause-Patent #include =0D #include "Variable.h"=0D =0D +#include =0D +=0D +#include =0D +=0D typedef struct {=0D CHAR16 *VariableName;=0D EFI_GUID *VendorGuid;=0D @@ -341,6 +346,11 @@ SetVariableCheckHandlerMor ( return EFI_SUCCESS;=0D }=0D =0D + // Permit deletion when policy is disabled.=0D + if (!IsVariablePolicyEnabled() && ((Attributes =3D=3D 0) || (DataSize = =3D=3D 0))) {=0D + return EFI_SUCCESS;=0D + }=0D +=0D //=0D // MorLock variable=0D //=0D diff --git a/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableStandaloneM= m.inf b/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableStandaloneMm.inf index 6e17f6cdf588..d8f480be27cc 100644 --- a/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableStandaloneMm.inf +++ b/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableStandaloneMm.inf @@ -20,6 +20,7 @@ #=0D # Copyright (c) 2010 - 2019, Intel Corporation. All rights reserved.
=0D # Copyright (c) 2018, Linaro, Ltd. All rights reserved.
=0D +# Copyright (c) Microsoft Corporation.=0D # SPDX-License-Identifier: BSD-2-Clause-Patent=0D #=0D ##=0D @@ -74,6 +75,7 @@ [LibraryClasses] StandaloneMmDriverEntryPoint=0D SynchronizationLib=0D VarCheckLib=0D + VariablePolicyLib=0D =0D [Protocols]=0D gEfiSmmFirmwareVolumeBlockProtocolGuid ## CONSUMES=0D --=20 2.26.2.windows.1.8.g01c50adf56.20200515075929
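Review bot: the two `#include` lines added to TcgMorLockSmm.c (the `@@ -17,6 +18,10 @@` hunk) are each followed by a blank line, which detaches them from the `#include "Variable.h"` group directly above; keep them in one contiguous include block, and since only IsVariablePolicyEnabled() is referenced by the code change, confirm that both new includes are actually needed.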
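Review bot: in the SetVariableCheckHandlerMor hunk (`@@ -341,6 +346,11 @@`), the new early return treats `DataSize == 0` as a deletion without excluding EFI_VARIABLE_APPEND_WRITE; per the UEFI SetVariable() semantics a call with DataSize 0 and the APPEND_WRITE attribute set is not a delete, so to match the commit message's "Only allows deletion, not modification" the condition should also require `(Attributes & EFI_VARIABLE_APPEND_WRITE) == 0`. The return is also placed before the `// MorLock variable` block, so with the policy engine disabled both the MOR and the MorLock variables become deletable; that matches the stated intent, but the commit message should say so explicitly, because disabling the policy engine now lifts a protection this handler otherwise enforces unconditionally. Style: the surrounding file writes comments as a `//` / `// text` / `//` block (see the `// MorLock variable` context lines), so `// Permit deletion when policy is disabled.` should use the same form.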
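Review bot: the `[LibraryClasses]` hunk adds VariablePolicyLib only to VariableStandaloneMm.inf, while the code change is in TcgMorLockSmm.c, which is not specific to the standalone MM build; please confirm that every .inf that compiles TcgMorLockSmm.c already lists VariablePolicyLib (for example via an earlier patch in this series), otherwise those builds fail with an unresolved IsVariablePolicyEnabled().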